Phishing
Homoglyphs
Homoglyphs are Unicode characters that look visually similar to an ASCII character, but are different. You can use these to make your phishing attacks more convincing.
Note: Gmail shows a warning when this is used, but not all email providers do.
Also, you can register a domain with a homoglyph and direct users there.
Fake Window
Using Javascript, you can make a fake window that looks exactly like Facebook and that asks you for the login (for OAuth logins).
Reverse Tabnabbing
If a website has a link like this:
Or like this:
Then it’s vulnerable to reverse tabnabbing (tested 23 May 2019 on Firefox and Chrome).
Note: target="_blank" is used to get the link to open in a new tab.
When you have target="_blank", then you should also really have rel="noopener noreferrer" next to it. Otherwise, bad.example.com will have the window.opener object available to it.
If the website bad.example.com runs this Javascript:
Then the original tab will be redirected to a phishing site.
Example: Facebook lets you link to your site using target="_blank". On your site, you run the above Javascript and the original Facebook tab will be redirected to https://phish.example.com. Assuming you control that domain, you can have it be a phishing site that asks the user to re-enter their password, or something similar.
Spear Phishing
Targeted attacks:
Email Spoofing
One way to do this is via open relay servers, but those might get blacklisted and there’s a better alternative:
Buy a domain (or use a free one that allows emails to be sent, like 000webhostapp) and create a PHP script that allows you to send emails with custom SMTP headers.
This works after changing the form action in index.php:
Note: the script doesn't accept unicode.
Hosted at http://oger55.000webhostapp.com/spoofer/
Last updated
